The RISKS Digest
Volume 34 Issue 11

Sunday, 24th March 2024

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

DMVs Nationwide Hit With Outage, Officials In Multiple States Say | Across America
U.S. Patch
DMV services disrupted nationwide by system out[r]age
Henry Baker
McDonald's blames global outage on third party
BBC
Re: McDonald's hit by outages at stores worldwide
Steve Bacher
Re: McDonald's
turgut kalfaoğlu
Tesco and Sainsbury's working to fix technical issues that suspended food deliveries to customers
CNN
Anti-drone radio jammers marketed on Amazon and Google despite being outlawed by FCC rules
Steve Bacher
A ChatGPT for Music Is Here. Inside Suno, the Startup Changing Everything
Rolling Stone
Albertans have lost at least $156M to fraud this decade
CBC
Chinese & Western Scientists Identify 'Red Lines' on AI Risks
Financial Times
Unpatchable vulnerability in Apple chip leaks secret encryption keys
Ars Technica
Apple has effectively abandoned HomeKit Secure Routers
Monty Solomon
Paper about the gofetch attack
Victor Miller
Why Tech Companies Are Not Your Friends: Lessons From Roku
NYTimes
Is your smart device safe from hackers? New FCC program will label cybersecure technology
LA Times
Hackers can unlock over 3 million hotel doors in seconds
ArsTechnica
Man Boarded Delta Flight Using Ticket Ruse
NYTimes
Never-before-seen data wiper may have been used by Russia against Ukraine
ArsTechnica
UPS worker charged after $1.3M Apple product theft spree
Monty Solomon
Social Security program failed to properly notify people of huge fines, report finds
WashPost
FCC bans cable TV industry's favorite trick for hiding full cost of service
Ars Technica
Hype cycle meets rinse cycle: does dishwasher really need a mobile app?
Rob Pegoraro
LAUSD's new student advisor is an AI bot that designs academic plans, suggests books
LATimes
Lawyer warns 'integrity of the entire system in jeopardy' if rising use of AI in legal circles goes wrong
CBC
I recommend DISABLING Google's new Chrome "real-time, privacy-preserving URL protection"
Lauren Weinstein
Why Tech Companies Are Not Your Friends: Lessons From Roku
NYTimes
Re: Risks of Leap Years and Dumb Digital Watches
Mark Brader
Re: AT&T proposals to kill landlines and more in California
Lauren Weinstein
Re: Hackers Breached Key Microsoft Systems
Bernie Cosell
Info on RISKS (comp.risks)

DMVs Nationwide Hit With Outage, Officials In Multiple States Say | Across America (U.S. Patch)

Gabe Goldberg <gabe@gabegold.com>
Thu, 21 Mar 2024 18:10:04 -0400
ACROSS AMERICA: All motor vehicle departments in the United States went down
Thursday, according to officials in multiple states.  Officials in Illinois,
Virginia, Massachusetts, Arkansas and Colorado all confirmed they
experienced an outage.

"We are currently experiencing a nationwide network outage at our DMV
facilities," tweeted Illinois Secretary of State Alexi Giannoulias. "All
DMVs across the country are currently down."

Virginia's DMV said the outage stemmed from "a third-party technical
outage," and that driver's license services were unavailable online and at
all in-person locations.

"We apologize for the inconvenience. Please stay tuned to social media for
updates," the agency said.

https://patch.com/virginia/annandale/s/ivgud/dmvs-nationwide-hit-with-outage-officials-in-multiple-states-say

  A technical outage hit all DMVs at once? Need details..


DMV services disrupted nationwide by system out[r]age

Henry Baker <hbaker1@pipeline.com>
Fri, 22 Mar 2024 02:03:12 +0000
I'm surprised that anyone could tell the difference from typical DMV
operations.  ..

https://www.nbcnews.com/news/rcna144496

DMV services disrupted nationwide by system out[r]age

The American Association of Motor Vehicle Administrators said the outage was
due to "a loss in cloud connectivity" Thursday.


McDonald's blames global outage on third party (BBC)

Gabe Goldberg <gabe@gabegold.com>
Sat, 16 Mar 2024 18:03:32 -0400
McDonald's has revealed the technical problems which brought much of its
fast food chain to a standstill on Friday were caused by a third party
provider.

The international restaurant said the global outage happened during a
"configuration change" and stopped stores taking orders in the UK, Australia
and Japan—amongst others.

McDonald's stressed the issue was not caused by a cyberattack.

https://www.bbc.com/news/business-68573106

Configuration change hits single point of failure, craters world-wide
restaurant chain. Nice. A plus for momentary healthy eating, though.


Re: McDonald's hit by outages at stores worldwide

Steve Bacher <sebmb1@verizon.net>
Sun, 17 Mar 2024 08:46:14 -0700
This comes at a bad time for McDonald's, since they are aggressively rolling
out kiosk-only ordering in place of humans. Recently I had to deal with one
of those in my local McD's—the counterwoman kindly fingerwalked through
the menus for me to order 2 coffees but the kiosks had no provision for the
senior discount price so she still had to ring it up manually for me
instead.

So it's kind of karmic justice in a way.


Re: McDonald's (RISKS-34.10)

turgut kalfaoğlu <turgut@kalfaoglu.com>
Sun, 17 Mar 2024 20:21:31 +0300
> McDonald's has revealed the technical problems which brought much of its
> fast food chain to a standstill on Friday were caused by a third party
> provider.

What I fail to understand is why do all of the world's McDonald's stores
have to be online to be able to sell food?

It seems the more eggs you put in one basket, the more eggs you are going to
lose.

  [Chickens as well.  PGN]


Tesco and Sainsbury's working to fix technical issues that suspended food deliveries to customers (CNN)

Monty Solomon <monty@roscom.com>
Sun, 17 Mar 2024 00:55:39 -0400
https://www.cnn.com/2024/03/16/business/tesco-sainsburys-delivery-technical-issues/index.html


Anti-drone radio jammers marketed on Amazon and Google despite being outlawed by FCC rules

Steve Bacher <sebmb1@verizon.net>
Wed, 20 Mar 2024 16:15:55 -0700
Several online retailers and drone technology companies are marketing the
sale of radio frequency jammers as drone deterrence or privacy tools,
sidestepping federal laws that prohibit such devices from being offered for
sale in the U.S.  [Long item PGN-curtailed]

https://www.nbcnews.com/tech/security/drone-radio-frequency-jammer-signal-online-defense-technology-rcna135103


A ChatGPT for Music Is Here. Inside Suno, the Startup Changing Everything (Rolling Stone)

Steve Bacher <sebmb1@verizon.net>
Tue, 19 Mar 2024 06:53:20 -0700

Suno AI wants everyone to be able to produce their own pro-level songs with
artificial intelligence, but what does that mean for artists?


Albertans have lost at least $156M to fraud this decade (CBC)

Matthew Kruk <mkrukg@gmail.com>
Fri, 22 Mar 2024 06:46:55 -0600
Many others don't report the crime

https://www.cbc.ca/news/canada/edmonton/alberta-fraud-money-victims-1.7146751

Albertans have reported losing more than $156 million to fraudsters since
the start of this decade, with tens of millions more being taken each year.
But there hasn't been a coinciding rise in victims—in part, experts say,
because people are reluctant to come forward.

In 2023, roughly 2,900 Albertans lost more than $62.5 million to various
fraud schemes—up more than fivefold from the $11.3 million taken from
about 2,600 people in 2020, data shows.

More than half the reported losses in the province last year were from
investment scams, particularly cryptocurrency frauds. Spear-phishing—when
scammers pretend to be legitimate sources to con businesses and people into
sending money—was the second-most lucrative type of fraud, taking more
than $8.5 million from 72 people.


Chinese & Western Scientists Identify 'Red Lines' on AI Risks (Financial Times)

ACM TechNews <technews-editor@acm.org>
Wed, 20 Mar 2024 11:42:38 -0400 (EDT)
Cristina Criddle, Eleanor Olcott and Madhumita Murgia, *Financial
Times*, 18 Mar 2024, via ACM Tech News

A statement signed by Western and Chinese AI scientists warns that
Cold War-level global cooperation is necessary to avoid "catastrophic
or even existential risks to humanity within our lifetimes" resulting
from AI technology. At the International Dialogue on AI Safety in
Beijing, the experts established "red lines" on AI risks that no AI
system should cross, including the development of bioweapons and the
launch of cyberattacks. Signatories to the statement included ACM
A.M. Turing Award laureates Geoffrey Hinton and Yoshua Bengio, as well
as computer scientists Stuart Russell and Andrew Yao.


Unpatchable vulnerability in Apple chip leaks secret encryption keys (Ars Technica)

Victor Miller <victorsmiller@gmail.com>
Fri, 22 Mar 2024 02:14:23 +0000

https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/


Apple has effectively abandoned HomeKit Secure Routers

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2024 20:12:17 -0400
https://appleinsider.com/articles/24/03/22/apple-has-abandoned-homekit-secure-routers-claim-vendors?utm_medium=rss


Paper about the gofetch attack

Victor Miller <victorsmiller@gmail.com>
Fri, 22 Mar 2024 02:16:49 +0000
https://gofetch.fail/files/gofetch.pdf


Why Tech Companies Are Not Your Friends: Lessons From Roku (The New York Times)

Gabe Goldberg <gabe@gabegold.com>
Fri, 22 Mar 2024 15:13:44 -0400
Roku recently changed its policy to make it even harder for customers to
take legal action. It’s a reminder of how we need to protect ourselves.

To Isaac Phillips, a software engineer in Tampa, Fla., this felt unfair.  So
he came up with a workaround to disconnect his Roku TV from the Internet and
use it as a normal TV without Roku’s apps, which include Netflix, Hulu and
other streaming services.

“It should belong to whoever paid for it,” Mr. Phillips said. “To lock
somebody out of it completely just doesn't seem right. It’s pretty
unacceptable.”

A Roku spokesman also provided a list of steps for those who wish to use
their Roku TVs as normal TVs without an Internet connection. It involves
pressing a button or pinhole on the back of the TV to reset the software and
skipping the step to set up the Internet connection.

https://www.nytimes.com/2024/03/20/technology/personaltech/roku-data-breach-companies.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

Why is it harder to opt out than it is to opt in? Because the companies are
legally allowed to do this.

I suggest that Roku customers follow those steps to opt out of the new terms
and hold on to what little power they have. I, for one, took this
opportunity to disconnect my Roku TV from the Internet and plug in a
different streaming device with less onerous terms, an old Apple TV. As for
a letter to opt out, I plan to use the AI chatbot ChatGPT to draft a testy
note.


Is your smart device safe from hackers? New FCC program will label cybersecure technology (LA Times)

Steve Bacher <sebmb1@verizon.net>
Wed, 20 Mar 2024 18:44:57 -0700
Internet-connecting devices that meet standards will soon come with a
"U.S. Cyber Trust Mark" to help consumers choose products that protect their
private information.

https://www.latimes.com/california/story/2024-03-19/new-program-will-label-smart-device-and-products-cybersecurity-safe

  Would you trust the Trust Mark?  I'm not sure.  I guess the consumer
  strategy would be to avoid buying devices that lack the Trust Mark rather
  than putting blind trust in the mark.


Hackers can unlock over 3 million hotel doors in seconds (ArsTechnica)

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2024 20:03:39 -0400
https://arstechnica.com/?p=2012114


Man Boarded Delta Flight Using Ticket Ruse (NYTimes)

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2024 02:10:43 -0400
By taking pictures of other passengers’ boarding passes on their phones, the
man was able to board a Delta Air Lines flight in Salt Lake City on Sunday,
according to a federal complaint.

https://www.nytimes.com/2024/03/20/business/delta-unticketed-passenger-arrested.html


Never-before-seen data wiper may have been used by Russia against Ukraine (ArsTechnica)

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2024 20:09:52 -0400


UPS worker charged after $1.3M Apple product theft spree

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2024 20:16:05 -0400
https://appleinsider.com/articles/24/03/21/ups-worker-charged-after-13m-apple-product-theft-spree


Social Security program failed to properly notify people of huge fines, report finds (WashPost)

Monty Solomon <monty@roscom.com>
Thu, 21 Mar 2024 19:17:36 -0400
The Social Security Administration’s internal watchdog office failed to
properly notify some poor and disabled Americans before levying huge fines
on them, an investigation found.
https://wapo.st/3vsSwyb


FCC bans cable TV industry's favorite trick for hiding full cost of service (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2024 09:40:02 -0400
https://arstechnica.com/?p=2011532


Hype cycle meets rinse cycle: does dishwasher really need a mobile app? (Rob Pegoraro)

Gabe Goldberg <gabe@gabegold.com>
Sun, 17 Mar 2024 23:32:15 -0400
Years later than you might have expected, given my line of work, I’ve
finally hit the dubious milestone of owning a major appliance with its own
Internet Protocol address and mobile app: the Bosch dishwasher we procured as
part of an overdue and immensely-appreciated kitchen renovation.

https://robpegoraro.com/2024/03/16/hype-cycle-meets-rinse-cycle-does-my-dishwasher-really-need-a-mobile-app/

  Risks? Missing an app alert and the undocumented trash masher feature
  starting? Dishwasher organizing other appliances in rebellion against
  flaky power? Yet another malware attack surface?


LAUSD's new student advisor is an AI bot that designs academic plans, suggests books

Steve Bacher <sebmb1@verizon.net>
Fri, 22 Mar 2024 07:47:27 -0700
Los Angeles school officials say their new app lets students and parents, in
one place, find anything they need related to school and their specific
learning path.

The Los Angeles school district on Wednesday unveiled a much-awaited AI tool
named “Ed” to serve as a student adviser, programmed to tell its young users
and their parents about grades, tests results and attendance, while giving
out assignments, suggesting readings and even helping students cope with
nonacademic matters.  [...]

https://www.latimes.com/california/story/2024-03-21/new-ai-tool-in-education-aspires-to-have-all-the-answers-for-l-a-students

  [We don't need no steenkin' teachers no more? or even parents for
  nonacademic matters?  PGN]


Lawyer warns 'integrity of the entire system in jeopardy' if rising use of AI in legal circles goes wrong (CBC)

Matthew Kruk <mkrukg@gmail.com>
Sun, 17 Mar 2024 10:18:02 -0600
https://www.cbc.ca/news/canada/nova-scotia/artificial-intelligence-lawyers-law-nova-scotia-1.7126732

As lawyer Jonathan Saumier types a legal question into ChatGPT, it spits
out an answer almost instantly.

But there's a problem—the generative artificial intelligence chatbot was
flat-out wrong.

"So here's a prime example of how we're just not there yet in terms of
accuracy when it comes to those systems," said Saumier, legal services
support counsel at the Nova Scotia Barristers' Society.

Artificial intelligence can be a useful tool. In just a few seconds, it can
perform tasks that would normally take a lawyer hours or even days.

But courts across the country are issuing warnings about it, and some
experts say the very integrity of the justice system is at stake.


I recommend DISABLING Google's new Chrome "real-time, privacy-preserving URL protection"

Lauren Weinstein <lauren@vortex.com>
Sat, 16 Mar 2024 13:13:37 -0700
It's up to you, but for now I recommend DISABLING Google's new Chrome
"real-time, privacy-preserving URL protection".

I'm getting a lot of questions about this, and I simply don't have
time right now to write this up in depth. So this will have to be
short (at least by my standards).

Google is implementing by default in Chrome a new system to expand
their detection of unsafe sites, via a complicated new real-time
system that sends hashes of URLs to a third-party, non-Google firm.

The details are in:

https://security.googleblog.com/2024/03/blog-post.html

Google's goal is laudable, but though it would probably be unfair of
me to call this system "Rube Goldberg-ish", it is definitely very far
from trivial.

I am in particular concerned about the ramifications of Chrome users
being connected by default to a completely non-Google entity to which
they are sending data, no matter how obfuscated that data may be.

While Google seems to be asserting that by creating a three-party
system (user, Google, outside firm) privacy is enhanced—and this
would appear to be true in theory—the possibilities for
interference by government or other entities seems increased with each
new player in the process. Also, users are now dealing with an
additional set of policies (and legal departments), that of Google and
that of the third party. Nor (as far as I know) has the contractual
basis of the relationship between Google and this third party been
made public.

There may be nothing at all wrong with this arrangement. But frankly,
the introduction of a third party and other aspects of this system
have raised a caution warning for me, especially when this is enabled
by default.

So my recommendation for now is to turn off this feature, until
significantly more is known about it in the respects I've mentioned
above and others. This is completely up to you of course. You may wish
to keep the Google default that uses this system and have the
additional protection, and may not be at all concerned about the other
issues I've mentioned. Absolutely your choice.

I do invite Google to contact me with more information about these
issues if they wish to do so. -L
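The three-party lookup described above, as an added sketch that is neither Google's code nor part of Lauren's post: the client hashes the URL locally and sends only a short prefix, the relay sees the client's network address but not what is being asked, and the list server sees the prefix but not who asked, with the final full-hash comparison done back on the client. The SHA-256 hash, the 4-byte prefix length, the minimal canonicalization, the relay that merely forwards, and the sample list and addresses are all assumptions made for this sketch; Google's blog post linked above describes the actual mechanism, which also encrypts the request so the relay cannot read the payload.

```python
# Added sketch (not Google's or Chrome's code): a hash-prefix URL lookup routed
# through a relay, instrumented to show what each of the three parties observes.
# Assumptions: SHA-256 full hashes, 4-byte prefixes, a minimal canonicalization,
# and a relay that only forwards. The real system encrypts the payload to the
# list server's key so the relay cannot read it; here it records only the length.
import hashlib
from urllib.parse import urlsplit, urlunsplit

PREFIX_LEN = 4  # bytes of the full hash that leave the client (assumption)


def canonicalize(url: str) -> str:
    """Minimal canonical form: lowercase scheme and host, drop the fragment,
    default an empty path to "/". Real URL canonicalization is far longer."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.hostname or "", p.path or "/", p.query, ""))


def full_hash(url: str) -> bytes:
    return hashlib.sha256(canonicalize(url).encode()).digest()


class ListServer:
    """Holds full hashes of listed URLs. It learns only the prefix it is asked
    about and answers with every listed full hash sharing that prefix."""

    def __init__(self, listed_urls):
        self.listed = {full_hash(u) for u in listed_urls}
        self.observed = []  # prefixes received: no client addresses, no URLs

    def lookup(self, prefix: bytes):
        self.observed.append(prefix)
        return [h for h in self.listed if h.startswith(prefix)]


class Relay:
    """The third party. It sees who is asking (the client's address) and when,
    and forwards a payload it treats as opaque."""

    def __init__(self, server: ListServer):
        self.server = server
        self.observed = []  # (client_ip, payload_length) pairs

    def forward(self, client_ip: str, payload: bytes):
        self.observed.append((client_ip, len(payload)))
        return self.server.lookup(payload)


def client_check(url: str, relay: Relay, client_ip: str) -> bool:
    """Client side: hash locally, send only the prefix, finish the match at home.
    Neither remote party learns which candidate, if any, matched."""
    fh = full_hash(url)
    candidates = relay.forward(client_ip, fh[:PREFIX_LEN])
    return fh in candidates


def demo():
    # Constructed sample list and client address, for the sketch only.
    server = ListServer(["http://malware.example/login"])
    relay = Relay(server)
    flagged = client_check("HTTP://Malware.Example/login#frag", relay, "198.51.100.7")
    clean = client_check("http://benign.example/", relay, "198.51.100.7")
    return {
        "flagged": flagged,            # True: listed URL matched after local comparison
        "clean": clean,                # False: unlisted URL
        "relay_saw": relay.observed,   # who asked, and an opaque 4-byte payload each time
        "server_saw": server.observed, # which prefixes were asked about, from nobody in particular
    }


if __name__ == "__main__":
    print(demo())
```

The relay's log is exactly the metadata the post is concerned about: even though it never sees a URL or a prefix it can interpret, it still learns which client addresses performed lookups and when.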


Why Tech Companies Are Not Your Friends: Lessons From Roku (NYTimes)

"Jim" <jgeissman@socal.rr.com>
Wed, 20 Mar 2024 10:48:05 -0700
Roku recently changed its policy to make it even harder for customers to
take legal action. It's a reminder of how we need to protect ourselves.

https://www.nytimes.com/2024/03/20/technology/personaltech/roku-data-breach-
companies.html?unlocked_article_code=1.eE0.xzdb.HCSnU1ujiRmT


Re: Risks of Leap Years and Dumb Digital Watches (Shapir, RISKS-34.10)

Mark Brader <msb@Vex.Net>
Sun, 17 Mar 2024 06:13:54 -0400 (EDT)
The year on my Timex watch cannot be set outside the range 2000-2099.


Re: AT&T proposals to kill landlines and more in California

Lauren Weinstein <lauren@vortex.com>
Thu, 14 Mar 2024 17:53:40 -0700
The count of comments at the CPUC (overwhelmingly negative) on the main
proposal has now exceeded 5000, and it's no longer possible to know exactly
how many there are, since "Over 5000" is as high as their counter runs. -L

https://apps.cpuc.ca.gov/apex/f?p=401:65:0::NO:RP,57,RIR:P5_PROCEEDING_SELECT:A2303003


Re: Hackers Breached Key Microsoft Systems (RISKS-34.11)

"Bernie Cosell" <bernie@fantasyfarm.com>
Sat, 16 Mar 2024 18:33:50 -0400
Any hint as to *how* they compromised the entire corporate email system?  I
know how they can nail individual email addresses, but how do they leap from
that to invading the entire system?
